-
Notifications
You must be signed in to change notification settings - Fork 21.4k
/
content_security_policy.rb
85 lines (76 loc) · 2.6 KB
/
content_security_policy.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# frozen_string_literal: true
module ActionController # :nodoc:
module ContentSecurityPolicy
extend ActiveSupport::Concern
include AbstractController::Helpers
include AbstractController::Callbacks
included do
helper_method :content_security_policy?
helper_method :content_security_policy_nonce
end
module ClassMethods
# Overrides parts of the globally configured +Content-Security-Policy+
# header:
#
# class PostsController < ApplicationController
# content_security_policy do |policy|
# policy.base_uri "https://www.example.com"
# end
# end
#
# Options can be passed similar to +before_action+. For example, pass
# <tt>only: :index</tt> to override the header on the index action only:
#
# class PostsController < ApplicationController
# content_security_policy(only: :index) do |policy|
# policy.default_src :self, :https
# end
# end
#
# Pass +false+ to remove the +Content-Security-Policy+ header:
#
# class PostsController < ApplicationController
# content_security_policy false, only: :index
# end
def content_security_policy(enabled = true, **options, &block)
before_action(options) do
if block_given?
policy = current_content_security_policy
instance_exec(policy, &block)
request.content_security_policy = policy
end
unless enabled
request.content_security_policy = nil
end
end
end
# Overrides the globally configured +Content-Security-Policy-Report-Only+
# header:
#
# class PostsController < ApplicationController
# content_security_policy_report_only only: :index
# end
#
# Pass +false+ to remove the +Content-Security-Policy-Report-Only+ header:
#
# class PostsController < ApplicationController
# content_security_policy_report_only false, only: :index
# end
def content_security_policy_report_only(report_only = true, **options)
before_action(options) do
request.content_security_policy_report_only = report_only
end
end
end
private
def content_security_policy?
request.content_security_policy
end
def content_security_policy_nonce
request.content_security_policy_nonce
end
def current_content_security_policy
request.content_security_policy&.clone || ActionDispatch::ContentSecurityPolicy.new
end
end
end